ContextQMD
Back to Grafana

Configure SCIM provisioning

docs/sources/setup-grafana/configure-access/configure-scim-provisioning/_index.md

13.0.113.3 KB
Original Source

Configure SCIM provisioning

System for Cross-domain Identity Management (SCIM) is an open standard that allows automated user provisioning and management. With SCIM, you can automate the provisioning of users and groups from your identity provider to Grafana.

{{< admonition type="note" >}} Available in Grafana Enterprise and Grafana Cloud. {{< /admonition >}}

Benefits

{{< admonition type="note" >}} SCIM provisioning only works with SAML authentication. Other authentication methods aren't supported. {{< /admonition >}}

SCIM offers several advantages for managing users and teams in Grafana:

  • Automated user provisioning: Automatically create, update, and disable users in Grafana when changes occur in your identity provider
  • Automated team lifecycle management: Automatically create teams when new groups are added, update team memberships, and delete teams when groups are removed from your identity provider
  • Reduced administrative overhead: Eliminate manual user management tasks and reduce the risk of human error
  • Enhanced security: Automatically disable access when users leave your organization

Authentication and access requirements

When you enable SCIM in Grafana, the following requirements and restrictions apply:

  1. Use the same identity provider for user provisioning and for authentication flow: You must use the same identity provider for both authentication and user provisioning.

  2. Security restriction: When using SAML, the login authentication flow requires the SAML assertion exchange between the Identity Provider and Grafana to include the userUID SAML assertion with the user's unique identifier at the Identity Provider.

    • Configure userUID SAML assertion in Entra ID
    • Configure userUID SAML assertion in Okta

Align SAML identifier with SCIM externalId

When you use SAML with SCIM provisioning, align the SCIM externalId with the SAML user identifier. Use a stable IdP attribute (for example, Entra ID user.objectid) as the SCIM externalId, and send that same value as a SAML claim. Configure Grafana to read this claim with the assertion_attribute_external_uid setting so SAML authentication links to the SCIM-provisioned user and its permissions.

If the SAML identifier and SCIM externalId differ, Grafana may not link the authenticated user to the intended SCIM profile, which can result in incorrect access. Verify your IdP sends a stable, unique identifier and that it matches the SCIM externalId. Refer to your IdP docs and the Grafana SCIM integration guides for Entra ID and Okta for attribute configuration details.

Configure SCIM using the Grafana user interface

You can configure SCIM in Grafana using the Grafana user interface. To do this, navigate to Administration > Authentication > SCIM.

The Grafana SCIM UI provides the following advantages over configuring SCIM in the Grafana configuration file:

  • It is accessible by Grafana Cloud users
  • It doesn't require Grafana to be restarted after a configuration update
  • Using the authentication settings permission allows us to restrict Grafana’s access scope rather than relying on an overly permissive role such as Admin.

{{< admonition type="note" >}} Any configuration changes made through the Grafana user interface (UI) will take precedence over settings specified in the Grafana configuration file or through environment variables. This means that if you modify any configuration settings in the UI, they will override any corresponding settings set via environment variables or defined in the configuration file. {{< /admonition >}}

Configure SCIM settings

Sign in to Grafana and navigate to Administration > Authentication > SCIM. Here you can configure the following settings:

SettingRequiredDescriptionDefault
Enable Group SyncNoEnable SCIM group provisioning. When enabled, Grafana will create, update, and delete teams based on SCIM requests from your identity provider. Cannot be enabled if Team Sync is enabled.false
Reject Non-Provisioned UsersNoWhen enabled, prevents non-SCIM provisioned users from signing in. Cloud Portal users can always sign in regardless of this setting.false
Enable User SyncYesEnable SCIM user provisioning. When enabled, Grafana will create, update, and deactivate users based on SCIM requests from your identity provider.false

The SCIM UI also displays information that may help you configure SCIM in your identity provider, including stack domain, stack ID, and tenant URL.

Next steps

After configuring SCIM in Grafana, configure your identity provider:

Configure SCIM using the configuration file

The table below describes all SCIM configuration options. Like any other Grafana configuration, you can apply these options as environment variables.

SettingRequiredDescriptionDefault
user_sync_enabledYesEnable SCIM user provisioning. When enabled, Grafana will create, update, and deactivate users based on SCIM requests from your identity provider.false
group_sync_enabledNoEnable SCIM group provisioning. When enabled, Grafana will create, update, and delete teams based on SCIM requests from your identity provider. Cannot be enabled if Team Sync is enabled.false
reject_non_provisioned_usersNoWhen enabled, prevents non-SCIM provisioned users from signing in. Cloud Portal users can always sign in regardless of this setting.false

{{< admonition type="warning" >}} Team Sync Compatibility:

  • SCIM group sync (group_sync_enabled = true) and Team Sync cannot be enabled simultaneously
  • You can use SCIM user sync (user_sync_enabled = true) alongside Team Sync
  • For more details about migration and compatibility, see SCIM vs Team Sync {{< /admonition >}}

Example SCIM configuration

ini
[auth.scim]
user_sync_enabled = true
group_sync_enabled = false
reject_non_provisioned_users = false

Configure SCIM using Terraform

You can also configure SCIM provisioning in Grafana using the Grafana Terraform provider. This approach is particularly useful for infrastructure-as-code deployments and automated provisioning.

Terraform SCIM configuration example

hcl
resource "grafana_scim_config" "scim_config" {
  user_sync_enabled            = true
  group_sync_enabled           = false
  reject_non_provisioned_users = false
}

Terraform SCIM configuration options

The Terraform grafana_scim_config resource supports the same configuration options as the manual configuration:

SettingRequiredDescriptionDefault
user_sync_enabledYesEnable SCIM user provisioning. When enabled, Grafana will create, update, and deactivate users based on SCIM requests from your identity provider.false
group_sync_enabledNoEnable SCIM group provisioning. When enabled, Grafana will create, update, and delete teams based on SCIM requests from your identity provider. Cannot be enabled if Team Sync is enabled.false
reject_non_provisioned_usersNoWhen enabled, prevents non-SCIM provisioned users from signing in. Cloud Portal users can always sign in regardless of this setting.false

Supported identity providers

The following identity providers are supported:

How it works

The synchronization process works as follows:

  1. Configure SCIM in both your identity provider and Grafana
  2. Your identity provider sends SCIM requests to the Grafana SCIM API endpoint
  3. Grafana processes these requests to create, update, or deactivate users and teams, and synchronize team memberships

Comparison with other sync methods

Grafana offers several methods for synchronizing users, teams, and roles. The following table compares SCIM with other synchronization methods to help you understand the advantages:

Sync MethodUsersTeamsRolesAutomationKey BenefitsLimitationsOn-PremCloud
SCIM⚠️FullComplete user and team lifecycle management with automatic team creationRequires SAML authentication; uses Role Sync for basic roles
Team Sync⚠️PartialSyncs team memberships to existing teamsRequires manual team creation; no team lifecycle management
Active LDAP SyncFullBackground synchronization of LDAP usersLimited to LDAP environments
Role SyncFullFull automation of basic role assignmentLimited to basic roles only
Org Mapping⚠️FullFull automation of basic role assignment per organizationLimited to basic roles only; on-premises only⚠️

Key advantages

  • Comprehensive user and team automation: SCIM provides full automation for user and team provisioning, while role management is handled separately through Role Sync
  • Dynamic team creation: Teams are created automatically based on identity provider groups
  • Near real-time synchronization: Changes in the identity provider are reflected based on the provider synchronization schedule
  • Enterprise-ready: Designed for large organizations with complex user management needs

Next steps